MIKROTIK - Two LANs connected with switch


Your static routes are invalid.

You need to delete all your static routes from both sites and add the following routes on each router:

Run on SITE2:
/ip route add dst-address=192.168.3.0/24 gateway=172.30.2.222

Run on SITE3:
/ip route add dst-address=192.168.2.0/24 gateway=172.30.2.221

Also the bridges are unnecessary so delete them too.
You should also delete the masquerade rule in Firewall > NAT. You don't need that since you have static routes between the routers and both networks can reach each other.

The rest of the firewall rules look OK so enabling them shouldn't interfere.
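The answer's steps collected into one paste-able script per router, followed by the checks to run afterwards. This is an added example, not Cha0s's commands and not taken from the original post: the interface names, addresses and the routes being removed come from the exports in the question, 192.168.3.50 is the host the question was pinging, and the `remove [find ...]` selectors are keyed on exactly the routes those exports show.

```routeros
# ---- SITE 2 (WAN 172.30.2.221, LAN 192.168.2.0/24): paste on SITE 2 only ----
# 1. Drop the static routes from the posted export (the disabled default route and
#    the interface-only route to the far LAN), then add the one route the answer gives.
/ip route remove [find dst-address=0.0.0.0/0]
/ip route remove [find dst-address=192.168.3.0/24]
/ip route add dst-address=192.168.3.0/24 gateway=172.30.2.222
# 2. The LAN<->WAN bridge is not needed for routed traffic: remove ports, then bridges.
/interface bridge port remove [find]
/interface bridge remove [find]
# 3. No masquerade: the other router has a route back, so keep real source addresses.
/ip firewall nat remove [find chain=srcnat action=masquerade]
# 4. Re-enable the default filter rules (accept established/related, drop invalid in forward).
/ip firewall filter enable [find disabled=yes]

# ---- SITE 3 (WAN 172.30.2.222, LAN 192.168.3.0/24): paste on SITE 3 only ----
/ip route remove [find dst-address=0.0.0.0/0]
/ip route remove [find dst-address=172.30.2.0/32]
/ip route remove [find dst-address=192.168.2.0/24]
/ip route add dst-address=192.168.2.0/24 gateway=172.30.2.221
/interface bridge port remove [find]
/interface bridge remove [find]
/ip firewall nat remove [find chain=srcnat action=masquerade]
/ip firewall filter enable [find disabled=yes]

# ---- Checks, run on SITE 2 ----
/ip route print
# Expected: 192.168.3.0/24 as an active static (AS) route with gateway 172.30.2.222
# reachable on "ETH. 1 WAN", plus the two connected (DAC) routes. No remaining route
# should name an interface as its only gateway.
/ip route check 192.168.3.50
# Ping the far router first, then the far host with the LAN address as source, so the
# return route on SITE 3 is exercised as well, not just the WAN segment.
/ping 192.168.3.1 count=3
/ping 192.168.3.50 count=3 src-address=192.168.2.1
```

Two things to keep in mind when running this. Neither export shows a working default route (SITE 2's is disabled), so removing them costs nothing here; on a router that does reach the internet through its default route, keep that one. On SITE 3 the re-enabled input rule that drops traffic arriving on "ETH. 1 WAN" means Winbox or SSH to 172.30.2.222 will no longer work from the SITE 2 side; ICMP is still accepted by the earlier input rule, so pinging the router itself keeps working, and forwarded traffic between the LANs is unaffected. If the routes check out but a particular PC still does not answer, look at that PC's own firewall, which is what this thread eventually turned out to be.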



Author: Gregor

Updated on September 18, 2022

Comments

  • Gregor
    Gregor almost 2 years

    I have a very simple network. I have two LAN networks (192.168.2.0/24 and 192.168.3.0/24) connected via a router at each site and the routers are connected via a switch.

    http://postimg.org/image/3y1uysszn/

    The routers are MikroTik, the switch is some off-the-shelf equipment. I've set up all the routes, removed all the firewalls but I still can't ping from one PC to another. The strange thing is that when I use MikroTik's IP Scan tool, it finds all of the equipment, but when I try to ping, let's say from the PC at site 2, I can't get further than 172.30.2.222.

    If I disable the bridge between LAN and WAN at site 2, I can (from the PC at site 2) ping the LAN IP 192.168.3.50, which is at site 3. At the same time I can't ping the LAN IP 192.168.2.1 from the PC at site 3. If I re-enable the bridge at site 2, I again can't get any further than 172.30.2.222 from site 2.

    Does anyone have an idea what I am doing wrong? Is the PING somehow disabled in mikrotik routers?

    Configuration:

    [admin@ENG. SITE 3] >> /ip address export
    /ip address
    add address=192.168.3.1/24 comment="default configuration" interface=\
    "ETH. 2 LAN" network=192.168.3.0
    add address=172.30.2.222/24 interface="ETH. 1 WAN" network=172.30.2.0

    [admin@ENG. SITE 3] >> ip route export
    /ip route
    add distance=1 gateway=172.30.2.221
    add distance=1 dst-address=172.30.2.0/32 gateway="ETH. 1 WAN"
    add distance=1 dst-address=192.168.2.0/24 gateway="ETH. 1 WAN"

    [admin@ENG. SITE 3] >> ip firewall export
    /ip firewall filter
    add chain=input comment="default configuration" disabled=yes protocol=icmp
    add chain=input comment="default configuration" connection-state=established \
    disabled=yes
    add chain=input comment="default configuration" connection-state=related \
    disabled=yes
    add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface="ETH. 1 WAN"
    add chain=forward comment="default configuration" connection-state=established \
    disabled=yes
    add chain=forward comment="default configuration" connection-state=related \
    disabled=yes
    add action=drop chain=forward comment="default configuration" connection-state=\
    invalid disabled=yes

    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" \
    out-interface="ETH. 1 WAN"

    [admin@ENG. SITE 2] > ip address export
    /ip address
    add address=192.168.2.1/24 comment="default configuration" interface="ETH. 2 LAN" network=192.168.2.0
    add address=172.30.2.221/24 interface="ETH. 1 WAN" network=172.30.2.0

    [admin@ENG. SITE 2] > ip route export
    /ip route
    add disabled=yes distance=1 gateway=172.30.2.222
    add distance=1 dst-address=192.168.3.0/24 gateway="ETH. 1 WAN"

    [admin@ENG. SITE 2] > ip firewall export
    /ip firewall filter
    add chain=forward comment="default configuration" connection-state=established disabled=yes
    add chain=forward comment="default configuration" connection-state=related disabled=yes
    add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" \
    out-interface="ETH. 1 WAN"
    
    • Cha0s
      Cha0s almost 9 years
      Please post your configuration. /ip address export /ip route export /ip firewall export
    • joeqwerty
      joeqwerty almost 9 years
      What do you mean If I disable the bridge between LAN and WAN at site 2? Do you have the routers in bridged mode? If so, why?
    • Gregor
      Gregor almost 9 years
      First setting for SITE 2: postimg.org/image/76ew41ds1 Second setting for SITE 3: postimg.org/image/4d28tn0rp Yes there is a bridge between WAN and LAN on each router. Did I make a mistake? Shouldn't there be a bridge? BR and thank you!
    • Cha0s
      Cha0s almost 9 years
      The whole config is kind of a mess. The static routes are wrong, the bridge is unnecessary. Please post the exports I asked so I can fix them for you and post a proper answer.
  • Gregor
    Gregor almost 9 years
    Perfect. Thank you. You've helped a lot! What if I wish to ping devices in the same LAN (let's say I have several layer 3 devices at SITE2). Do I need to use a bridge?
  • Cha0s
    Cha0s almost 9 years
    You mean to bridge several ethernet ports on the mikrotik at site 2 so those ports act as a switch? You simply create the bridge, add the ethernet ports (not the 'wan' port) and you change the interface on the IP address 192.168.2.1/24 to the bridge instead of the ethernet port.
  • Gregor
    Gregor almost 9 years
    Yes, I wish to bridge several ports (ports 2, 3, 4) so they can share UDP packets between them. At the same time, I have to be able to ping from SITE 2 to SITE 3. What about the setting with the master port for each port? I can't add several ports to a bridge, it says Port (SOMETHING) is already slave.
  • Cha0s
    Cha0s almost 9 years
    Actually yes, that's a better solution (wire speed switching). Assuming ETH. 2 LAN is port 2, then on ports 3 and 4 you set the master port to ETH. 2 LAN and those 3 ports should work as a switch. You don't need to change the IP's interface I mentioned before with the bridge.
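The master-port arrangement from the comment above, written out as an added example (not Cha0s's or the original poster's configuration). It assumes the two extra ports on SITE 2 are named ether3 and ether4, which the page never shows, and the RouterOS 6 switch-group mechanism that existed before 6.41.

```routeros
# SITE 2: make ports 3 and 4 slaves of "ETH. 2 LAN" so the three ports switch at wire
# speed in the switch chip and share the single L3 interface that already holds
# 192.168.2.1/24. Assumed port names: ether3, ether4.
/interface ethernet set [find name="ether3"] master-port="ETH. 2 LAN"
/interface ethernet set [find name="ether4"] master-port="ETH. 2 LAN"
/interface ethernet print                         # slaves carry the S flag
/ip address print where interface="ETH. 2 LAN"   # the IP stays on the master, unchanged

# Do NOT put "ETH. 1 WAN" in this group: that would join LAN and WAN at layer 2 again,
# which is the bridge the question had to remove to get routing to work.

# "Port ... is already slave" means the port still has a master-port set; a slave cannot
# be added to a bridge. Detach it first if it is needed elsewhere:
# /interface ethernet set [find name="ether3"] master-port=none

# RouterOS 6.41 and later removed master-port; the equivalent is a bridge with hardware
# offload, and then the IP address moves to the bridge:
# /interface bridge add name=bridge-lan
# /interface bridge port add bridge=bridge-lan interface="ETH. 2 LAN" hw=yes
# /interface bridge port add bridge=bridge-lan interface=ether3 hw=yes
# /interface bridge port add bridge=bridge-lan interface=ether4 hw=yes
# /ip address set [find address="192.168.2.1/24"] interface=bridge-lan
```

Either way the static route to 192.168.3.0/24 and the firewall rules keep working unchanged, because they reference "ETH. 1 WAN" and the gateway address, not the LAN port. Broadcast UDP between the three ports is switched locally and never reaches the router's IP stack, so it is not affected by the filter rules.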
  • Gregor
    Gregor almost 9 years
    OK thanks. Unfortunately I have another problem. I have the following configurations on SITE 1 (freetexthost.com/4d3spjypji) and SITE 2 (freetexthost.com/qb2rz61gzj). I can ping anywhere including PC 192.168.2.30 from SITE 1, but I can't ping the PC at SITE 1 (192.168.1.24) from SITE 2. Otherwise I can ping from SITE 2 to the internal LAN on SITE 1 (192.168.1.1). I really appreciate your help Cha0s!!!
  • Gregor
    Gregor almost 9 years
    It was a windows firewall problem. I've left it ON on my work computer and it was causing problems. That's why I could ping my home computer (windows firewall turned off from start). Thank you for the help Cha0s. Best regards!
  • Gregor
    Gregor almost 9 years
    How can I enable UDP port forwarding to a device on LAN SITE 1 (IP: 192.168.1.11, Port: 50011)?
  • Cha0s
    Cha0s almost 9 years
    Better create a new question for this since it's a different issue :)